Data We Don't Want

Steve Jones
Comments posted to this topic are about the item Data We Don't Want

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com

paul.knibbs
I could be really smug because I always use Firefox, but instead I'll allow myself to be gobsmacked that such an obvious flaw has made it into three major browsers. Who audits the code for these things?

Gary Varga
Steve Jones - SSC Editor (3/4/2013)
<snip/>This makes me want to re-architect the way we build data driven application in the future, to prevent this type of vandalism. Maybe building an application level firewall that proxies all access to a database server. The idea of application servers was very popular a decade ago, but it seems few systems actually implemented this type of architecture. Perhaps this is because the web server/database server pairing is such an easy paradigm to build for most developers.<snip/>

A lot of Enterprise developers, whose number I less than humbly count myself amongst, would love to properly architect and implement such systems. Often it is driven from above with the rapid and cheaper development options chosen. Sure, there are those developers who don't think like this and quite often they are the so called "web developers". Bearing in mind the dangers of generalisations, a lot of these developers come from a graphics/web design background or perhaps "the business" and don't see the value of software engineering. From a certain point of view, the economics of software engineering does not stack up...until things go wrong.

Often the cost of application frameworks is high, not "out of the box" (which often cost enough in the first place) and there are very few people with expertise in these frameworks.

As always we should be raising the level of abstraction of our frameworks to make leverage of them more cost effective. Unfortunately, we still have yet to make logging, performance monitoring and such like work straight out of the box, perhaps straight out of each language, and built in through minor configuration only. Until we do this we will still be delivering a lower level of quality and have no hope for the level of maturity of applications suggested.

Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!

Eric M Russell
paul.knibbs (3/5/2013)
I could be really smug because I always use Firefox, but instead I'll allow myself to be gobsmacked that such an obvious flaw has made it into three major browsers. Who audits the code for these things?

FireFox does support HTML5 Storage, are you sure it's implemented in a way that's safer than IE and Chrome? Go to the website Steve mentioned in his article and see.


"The universe is complicated and for the most part beyond your control, but your life is only as complicated as you choose it to be."

paul.knibbs
Eric M Russell (3/5/2013)
FireFox does support HTML5 Storage, are you sure it's implemented in a way that's safer than IE and Chrome? Go to the website Steve mentioned in his article and see.


The Ars Technica article that Steve linked to (which describes the exploit in more detail) says this:

"Of the browsers Aboukhadijeh tested, only Mozilla Firefox capped the download amount."

If the people who actually created the exploit say it's implemented in a safer way, I'm inclined to agree with them... :-)

Eric M Russell
That's a denial of service type attack that I hadn't expected, but it is an interesting attack vector. I wouldn't expect this to impact servers, but if servers are consuming web services, and using controls based on browsers, there is the possibility this type of attack might affect them. I'd hope this were limited to web servers and not impact database servers, but it's certainly a concern if you have processes running on your database server that might retrieve data from a remote source.

It's probably a good idea to use IPSec and a firewall on application or database servers to disallow browsing of external IP addresses.

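One way to implement the egress restriction Eric suggests, as an added example that is not part of the thread: an outbound Windows Firewall rule that stops server-side processes on an application or database server from reaching HTTP/HTTPS on public addresses. It assumes a Windows Server 2012 (or later) host with the NetSecurity PowerShell module, an elevated session, and that the server only needs web-port access to RFC 1918 internal hosts; the rule name and ranges are constructed for this example.

```powershell
# Added example, not from the thread. Assumes Windows Server 2012+ with the
# NetSecurity module, run from an elevated PowerShell session, and that only
# RFC 1918 internal hosts need to be reachable on 80/443 from this server.

# Everything that is NOT RFC 1918 private space, expressed as address ranges
# the firewall accepts. Adjust if your internal addressing differs.
$PublicRanges = @(
    '0.0.0.0-9.255.255.255',
    '11.0.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-255.255.255.255'
)

# Constructed rule name for this example.
$RuleName = 'Block outbound web browsing to public IPs'

# Remove any stale copy so the script can be re-run safely.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Block rules take precedence over allow rules in Windows Firewall, so this
# wins even if a broader outbound allow rule already exists.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Outbound `
    -Action Block `
    -Protocol TCP `
    -RemotePort 80,443 `
    -RemoteAddress $PublicRanges `
    -Profile Domain,Private,Public `
    -Enabled True `
    -Description 'Stops server-side processes fetching content from Internet hosts over HTTP/HTTPS.'

# Log dropped packets so an attempt by a server process to reach an external
# site is visible in %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True

# Verify: the rule should show Enabled = True, Direction = Outbound, Action = Block.
Get-NetFirewallRule -DisplayName $RuleName |
    Select-Object DisplayName, Enabled, Direction, Action
```

The rule is IPv4 only and also covers loopback and link-local space; add an IPv6 equivalent and any exceptions (for example a WSUS or proxy host) before applying it to a production server.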

andyw-834405
If FillDisk.com is a malicious site, why is it hyper-linked in your editorial? w00t

Gary Varga
andyw-834405 (3/5/2013)
If FillDisk.com is a malicious site, why is it hyper-linked in your editorial? w00t

...searching for the IT variation of a Darwin Award winner?


SQLRNNR
paul.knibbs (3/5/2013)
... I'll allow myself to be gobsmacked that such an obvious flaw has made it into three major browsers. Who audits the code for these things?


+1

Jason AKA CirqueDeSQLeil
I have given a name to my pain...
MCM SQL Server, MVP

SQL RNNR

Posting Performance Based Questions - Gail Shaw

andyw-834405
Gary Varga (3/5/2013)
andyw-834405 (3/5/2013)
If FillDisk.com is a malicious site, why is it hyper-linked in your editorial? w00t

...searching for the IT variation of a Darwin Award winner?

Wow, that was uncalled for... ;-)